I have made the following webpages on using L2TP/IPsec with Linux:
1.2 Author
The author of this document is Jacco de Leeuw. Corrections, additions, extra information etc. are much appreciated.
In addition to Microsoft's clients, there are other clients that support L2TP/IPsec:
The big question of course is: why would you want to use L2TP with SoftRemote or Sentinel? Both support multiple mechanisms to acquire virtual IP addresses from the internal network. For instance: DHCP, manual configuration, as well as L2TP/IPsec. I can think of a few reasons to use the latter.
Some users may prefer the Microsoft clients, mainly because they are free. Others prefer a third-party client, because the third party will provide support. From a system administration point of view, L2TP/IPsec allows you to use the Microsoft clients and SoftRemote/Sentinel at the same time. You can migrate from one type of client to the other, if you want. Another reason is that L2TP supports non-IP protocols such as IPX and SNA (not tested by me). Plus, L2TP/IPsec is an official IETF standard.
I used Sentinel 1.3 and 1.4/1.4.1 with Openswan. Other versions should work too. An exception may be SSH Sentinel v1.2 ("Internetpilot") which is free for non-commercial and educational use, but it is also old and buggy.
Note that Sentinel uses the L2TP-CERT and L2TP-PSK example Openswan configuration files, i.e. it requires leftprotoport=17/1701 and not leftprotoport=17/0 (as explained here). Sentinel supports both certificates and PSKs. Below is the procedure for certificates. PSKs are even easier to use; check the Sentinel manual if you want to use them.
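One way to check a server configuration against the leftprotoport requirement above, as an added example that is not from the original page or from Openswan. The conn names and the sample configuration are constructed, and the parser follows only the last also= line in each conn.

```python
# Added example, not from the original page. Conn names are constructed.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
conn base-cert              # template: no auto=, so never loaded itself
    authby=rsasig
    left=192.168.0.222
    right=%any
conn sentinel-ok
    also=base-cert
    leftprotoport=17/1701
    auto=add
conn sentinel-broken
    also=base-cert
    leftprotoport=17/0      # the value the text says Sentinel does not use
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    """Merge settings inherited through also=; the conn's own keys win."""
    if name in seen or name not in conns:      # unknown name or also= loop
        return {}
    own = conns[name]
    merged = resolve(conns, own["also"], seen + (name,)) if "also" in own else {}
    return {**merged, **own}

def lint_for_sentinel(text, wanted="17/1701"):
    """List (conn, leftprotoport) for loaded conns that lack `wanted`."""
    conns = parse_conns(text)
    resolved = {name: resolve(conns, name) for name in conns}
    return [(name, cfg.get("leftprotoport")) for name, cfg in resolved.items()
            if cfg.get("auto", "ignore") != "ignore"     # loaded conns only
            and cfg.get("leftprotoport") != wanted]
```

Calling lint_for_sentinel() on the text of the server's ipsec.conf returns the loaded conns whose leftprotoport is missing or differs from 17/1701.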
(Text and screenshots are based on version 7.0.5. Also tested was version 9.2.1 Build 2).
SoftRemote supports a large number of options. This section provides a general idea of how to configure SoftRemote. I won't discuss every option. The helpfile contains excellent instructions. Simply press F1 in SoftRemote to show the helpfile and search the index for "L2TP".
SoftRemote supports both IPsec and L2TP. On Windows 9x/ME it adds
its own virtual adapter ("SafeNet VPN Adapter") which is used for both
IPsec and L2TP. On Windows 2000/XP the setup is a bit different. First,
SoftRemote disables Windows' built-in IPsec. Then it adds its own IPsec
support to the network stack. For L2TP it relies on the built-in L2TP
support of Windows 2000/XP (more about that below).
SoftRemote supports both certificates and PSKs. Here's how to import
a certificate (skip this if you want a PSK):
You have now configured the IPsec part of SoftRemote.
Setting up the L2TP part on Windows 2000/XP is very similar to setting up a dial-in connection using the native client of Windows (described here). I.e. you simply use the New Connection Wizard to create a new L2TP connection. Be sure to type in the exact same IP address of the server (192.168.0.222 in the example above)! If you make a typo, Windows 2000/XP may set up a connection to the wrong server which is not protected by IPsec.
Under Win9x/ME the procedure is very similar to setting up a dial-in connection with the MSL2TP client (described here). The difference is that the adapter is called "SafeNet VPN Adapter" instead of "Microsoft L2TP/IPSec VPN Adapter". The SoftRemote helpfile also has instructions on how to configure the connection: simply press F1 to read the helpfile.
Nov 21, 2005: Added Forticlient, successor of Sentinel.
Sep 28, 2004: Sentinel does not work on XP SP2. Will not be fixed.
Jan 7, 2004: Sentinel has been sold. Updated links.
Aug 23, 2003: Reference to outdated Sentinel 1.2 (Internetpilot).
Jul 26, 2003: SoftRemote on Win9x/ME also works (but root cert did not show up?).
Jun 23, 2003: Added SoftRemote instructions.
Apr 23, 2003: Added report of Netscreen-Remote.
Apr 13, 2003: Could not get NAT-T to work.
Apr 7, 2003: Verified: Sentinel 1.4 can get DNS and WINS addresses automatically.
Mar 8, 2003: Tested myself, it works indeed. Added configuration information.
Dec 27, 2002: Sentinel reported to work.
Dec 15, 2002: Pages created.